When we first encountered Green Armor Solutions, the start-up just had launched a simple but what looked to be effective technology to help Web site operators safeguard customers from phishing.

The company's Identity Cues for Web sites server software uses a one-way hash and a secret key to generate a small, colored box containing a colored word that is different for every visitor logging on to a site. Visitors come to associate this visual cue with the Web site; if they ever inadvertently click on a phisher's e-mail bait, they will recognize the site they are routed to as a phony because it won't have that cue.

Green Armor CEO Joseph Steinberg says a number of credit unions are using the product and the company has since released a complementary product, Identity Cues Two Factor, which is its answer to regulations calling for banks and other institutions to adopt stronger authentication methods.

For Two Factor, Green Armor starts with the assumption that consumers typically use only a few devices - a home or work computer, maybe a PDA - for sensitive online activity, such as banking and shopping.

When customers log on to a site, entering a user name and password, the server sends an e-mail containing an ID number to their known e-mail address. Plugging that number into the Web page validates the customer and sets off a process to associate that machine with that customer.

First a cookie is set, but because cookies can get hijacked, the server also does a heuristic analysis of the Web session, examining the variables particular to the user's device such as browser release and language preference. That adds up to two factors: something users know - their name and password - and something they have - a trusted device.

After that, the system is invisible to the user, Steinberg says. There is nothing to maintain, and the validation happens in the background.

Only after this process is complete does the visitor see Green Armor's visual cue, which lets them know they have reached the proper site.

An advantage of the company's approach is that it minimizes harm from man-in-the-middle schemes, in which phishers get users to surf to a phony site - a bank, say - and then harvest their input and proxy it in real time to the bank in question, keeping the spoof alive. With Identity Cues Two Factor, the bank will see the middle man isn't a trusted machine and won't respond.